"A Travelers Cos. unit has filed suit against restaurant chain P.F. Chang's China Bistro Inc. seeking a judicial declaration that it is not obligated under its commercial general liability policies to provide indemnity coverage or defense costs in connection with a data breach announced earlier this year. Travelers says in a lawsuit filed in federal District Court in Hartford, Connecticut, Oct. 2 that it is not obligated to provide coverage to the Scottsdale, Arizona-based chain under the one-year CGL policies it issued in January 2013 and January 2014. It states the chain has separate cyber coverage with an unidentified insurer."

Prior cases have established that cyber incidents are rarely covered under CGL policies, and companies relying on such policies for cyber coverage are taking on risks that may not be quantifiable. Accordingly, firms (and, in many cases, their attorneys) should conduct a comprehensive review of their policies to determine what cyber risks are covered. Specific attention should be paid to whether coverage applies to attacks that unfold over time (as happens in many situations) as opposed to only specific events. Regardless of how the Connecticut court rules, it seems very unlikely that policies that do not provide specific cyber liability coverage will be of use to companies in the wake of a data breach or other cyber-attack.